Business Associate Agreement

This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement:
Effective Date of Underlying Agreement:
Vendor:

Business Associate Agreement

This Business Associate Agreement ("BAA" or the "within Agreement") is entered into on the day of, 2014, between University Hospital ("UH" or the "Hospital"), an instrumentality of the State of New Jersey, corporate and politic, having its principal offices at 150 Bergen Street, Newark, New Jersey (hereinafter referred to as "Covered Entity") and, having its principal administrative offices at (hereinafter referred to as "Business Associate") (the Covered Entity and Business Associate hereinafter collectively referred to as the "Parties"). Any conflict between the terms of this BAA and the Underlying Agreement between the Parties shall be governed by the terms of this BAA.

WHEREAS, in connection with the Underlying Agreement the Business Associate provides services to Covered Entity and Covered Entity discloses to Business Associate certain Protected Health Information that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009) (the "HITECH Act"), and regulations promulgated by the U.S. Department of Health and Human Services (the "HHS") (hereinafter the "HIPAA Regulations") and/or applicable state and/or local laws and regulations; and

WHEREAS, for good and lawful consideration and with acknowledgment of the mutual promises, set forth in the Underlying Agreement and herein, the Parties, intending to be legally bound, hereby agree as follows:

I. Definitions [1]

[1] An expanded definition of the following terms as well as the definition of other relevant terms are available on UH's website at M700N_ _ pdf. Terms used in this Business Associate Agreement but not otherwise defined shall have the meaning ascribed to those terms in HIPAA, the HITECH Act, and any current and future regulations promulgated under HIPAA and/or the HITECH Act. See 45 C.F.R , and

A. Breach means the unauthorized acquisition, access, use, or disclosure of protected health information ("PHI") which compromises the security or privacy of such information in violation of HIPAA, the HITECH Act and/or the HIPAA Regulations, except where a good faith belief exists that unauthorized persons to whom such information is disclosed would not reasonably have been able to retain such information. The term Breach does not include:

1. Any unintentional acquisition, access, or use of PHI by an employee, a workforce member or person acting under the authority of a Covered Entity or Business Associate if:

a. Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee, workforce member or person, respectively, with the Covered Entity or Business Associate; and

b. Does not result in further unauthorized use or disclosure; or

2. Any inadvertent disclosure by a person who is otherwise authorized to access PHI at a Covered Entity or Business Associate to another, similarly authorized person at the same Covered Entity, Business Associate or organized health care arrangement in which the Covered Entity participates, and such information received as a result of such disclosure is not further used or disclosed in an impermissible manner.

B. Business Associate means a service provider that receives PHI from, or creates or maintains PHI on behalf of, a Covered Entity including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefits management, practice management, repricing, transcription, legal, actuarial, accounting, consulting, data aggregation, administrative, accreditation or financial services, and vendors that offer personal health records to patients as part of a Covered Entity's electronic health record, where the service or function involves the use or disclosure of individually identifiable health information from the Covered Entity or from another Business Associate of the Covered Entity. A Business Associate excludes, among others, employees of Covered Entities.

1. Pursuant to the HIPAA Omnibus Final Rule effective March 26, 2013, for compliance by September 23, 2013 (hereinafter the "Omnibus Final Rule"), a Business Associate also includes any contractor, subcontractor, agent, employee and/or representative (collectively referred to hereinafter as "Contractors") who will perform any services under the Underlying Agreement and/or the within Agreement for or on behalf of the party to this Agreement who is defined as the Business Associate.

2. Contractors shall execute the Covered Entity's business associate agreement and/or the business associate agreement of the party who is defined as the Business Associate in the within Agreement. Any and all such business associate agreements between the party defined as the Business Associate in the within Agreement and its Contractors shall be executed and should be attached hereto; they shall be made a part of this BAA and the Underlying Agreement, as though fully set forth herein, whether or not they are actually executed and/or actually attached hereto.

C. Covered Entities include (i) health care providers that transmit patient health information electronically in connection with a covered transaction, (ii) health plans (including employer-sponsored employee welfare benefit plans and self-insured employer-offered health plans), and (iii) health care clearinghouses.

D. Data Aggregation means, with respect to PHI created or received by a Business Associate, the combining of PHI received by a Business Associate in its capacity as a Business Associate for more than one Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.

E. Designated Record Set means any grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a Covered Entity that is (i) medical records and billing records about individuals, and/or (ii) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, used, in whole or in part, by or for the Covered Entity, to make decisions about individuals.

F. Electronic Protected Health Information ("Electronic PHI") means PHI that is transmitted by or maintained in electronic media.

G. HIPAA Regulations means the regulations promulgated under HIPAA by the United States Department of Health and Human Services including, but not limited to, the HIPAA Privacy Regulations (45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E); the HIPAA Security Regulations (45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and C); and the HIPAA Breach Notification Regulations (45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and D); all as amended by the HIPAA Omnibus Final Rule, and as otherwise may be amended from time to time.

H. Individual means the person who is the subject of PHI and includes a person who qualifies as a personal representative (45 C.F.R (g)).

I. Protected Health Information ("PHI") means physical and/or mental health and demographic information collected from an individual and created or received by a Covered Entity and/or Business Associate that identifies or could reasonably identify an individual (i.e., is "individually identifiable") and is held or transmitted in any form including electronic media. PHI excludes educational records and employment records held by a Covered Entity as an employer (45 C.F.R ).

J. Required By Law means that Covered Entities may use and disclose PHI without individual authorization as required by law (including by statute, regulation, or court orders) in accordance with the requirements in 45 C.F.R (c), (e) or (f).

K. Unsecured PHI means PHI not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary of HHS.

II. Permitted Uses and Disclosures of PHI by Business Associate

A. Except as otherwise limited in this BAA, Business Associate may use and/or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such uses and/or further disclosures (i) do not violate the requirements of HIPAA's Business Associate contract standard at 45 C.F.R (e)(1), the HITECH Act and/or the HIPAA Regulations, if done by the Covered Entity, (ii) are the minimum necessary PHI to accomplish the intended purpose, and/or (iii) are Required By Law.

B. Except as otherwise limited in this BAA, Business Associate may use and/or disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of Business Associate, provided, however, that any such uses and/or disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that (i) the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and (ii) the person shall immediately notify the Business Associate following discovery of any instances of which the person is aware in which the confidentiality of the information has been Breached.

C. Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services to Covered Entity (42 C.F.R (e)(2)(i)(B)).

D. Business Associate may use PHI to report violations of law to appropriate federal and state authorities as permitted under HIPAA and/or other federal and state laws (45 C.F.R (j)(1)).

E. The Business Associate and/or Contractors may only use and/or disclose PHI as allowed in the Underlying Agreement and/or this BAA and/or as Required by Law.

F. The Business Associate and/or Contractors shall provide the Covered Entity with twenty (20) calendar days prior written notice of its or their intention to use other individuals, as employees, contractors, subcontractors, agents and/or representatives, on the Underlying Agreement. The Covered Entity may demand that it approve of any such individual and that the Business Associate and/or Contractors shall provide evidence of its and/or their compliance with the terms and conditions set forth in the within BAA within ten (10) calendar days of written request by the Covered Entity.

G. The Parties to the within BAA agree and acknowledge that all other terms and requirements in the HIPAA Omnibus Final Rule are and shall be incorporated into the Underlying Agreement and/or this BAA as if fully set forth herein including, but not limited to, limitations on marketing and fundraising communications and the sale of PHI.

III. Duties and Obligations of Business Associate Related to PHI

A. Business Associate shall not use or disclose PHI other than as permitted or required by the Underlying Agreement, this BAA, and/or as Required By Law.
Business Associate shall immediately notify Covered Entity of any use and/or disclosure of PHI in violation of HIPAA, the HITECH Act, the HIPAA Regulations, the Underlying Agreement and/or this BAA.

B. Business Associate shall use and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI and/or Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity (in accordance with Subpart C of 45 C.F.R. Part 164), and to prevent use and/or disclosure of PHI other than as provided for by the Underlying Agreement and the within BAA.

C. Business Associate shall notify, in writing, the Covered Entity when the Business Associate discovers a Breach of Unsecured PHI. A Breach is deemed to have been discovered by a Business Associate as of the first day on which Business Associate (by its employee, officer, or other agent, other than the person committing the Breach), knows or would have known of such Breach by exercising reasonable diligence. Business Associate's notification to Covered Entity (i.e., UH) and/or the notification to Covered Entity by any contractor, subcontractor, agent, employee and/or representative on behalf of the party to this Agreement who is defined as the Business Associate who will perform any services under this Agreement, shall:

1. Be made to the Covered Entity without unreasonable delay and in no event later than ten (10) calendar days following the discovery of a Breach of Unsecured PHI, except in the case of a Business Associate that is an agent of the Covered Entity, in which case the Business Associate must provide the Covered Entity with immediate notification of the Breach of Unsecured PHI, except where law enforcement officials determine that a notification would impede a criminal investigation or cause damage to national security. Unless the language in the Underlying Agreement between the Parties indicates that a Business Associate is an independent contractor, then whether the Business Associate shall be considered an agent of UH shall be determined on a case-by-case basis under federal common law agency principles, for purposes of Breach notification.

2. To the extent possible, provide the identity of each Individual whose Unsecured PHI was, or is reasonably believed to have been, Breached, and any other information that the Covered Entity is required to include in the notice to affected Individuals under 45 C.F.R (c), either at the time of notice of Breach to the Covered Entity or as promptly thereafter as information becomes available. Include information in substantially the same form as in the Policy on Protected Health Information Breach Notification available to Business Associates at Covered Entity's website at

D. Business Associate is subject to the same legal requirements to cure, terminate or report violations to the Secretary of HHS under the same duty and in the same manner as Covered Entity.

E. Business Associate shall mitigate, to the extent practicable, any harmful effect known to it resulting from an unauthorized use and/or disclosure of PHI and/or Breach of Unsecured PHI.

F. Business Associate shall ensure that any contractor, subcontractor, agent, employee and/or representative who will perform any services under this BAA and/or the Underlying Agreement, to whom it provides PHI (i) received from, or (ii) created or received by Business Associate on behalf of, the Covered Entity agrees, in writing, to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI.

G. Business Associate (i) shall provide Covered Entity immediate access to its premises for a review and demonstration of its internal practices and procedures for safeguarding PHI and, (ii) to the extent applicable, shall provide immediate access for inspection and copying of PHI in a Designated Record Set at reasonable times at the request of Covered Entity or, as directed by Covered Entity, to an Individual (45 C.F.R ). If Business Associate maintains an Electronic Health Record, Business Associate shall provide such information in electronic format to enable Covered Entity to fulfill its obligations under the HITECH Act (42 U.S.C (e)). If Business Associate maintains one or more Designated Record Sets electronically, Business Associate shall provide such information in the electronic form and format requested by the Individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the Covered Entity and the Individual to enable Covered Entity to fulfill its obligations to the Individual under the HIPAA Regulations.

H. Business Associate shall, upon request with reasonable notice, provide Covered Entity with an accounting of uses and disclosures of PHI provided to it by Covered Entity.

I. Business Associate agrees to use, disclose and request (i) only the minimum necessary PHI, as defined by law, and (ii) to the extent practicable, only the limited data set of PHI excluding direct identifiers, as defined in 45 C.F.R (e)(2).

J. Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an Individual for an accounting of uses and disclosures of PHI (45 C.F.R ). Should a Covered Entity or an Individual request an accounting of uses and disclosures of PHI pursuant to 45 C.F.R , Business Associate agrees to promptly provide Covered Entity with information, in a format and manner sufficient to respond, no later than twenty (20) calendar days after receipt of such written request, subject to specific statutory exceptions, and as otherwise amended from time to time.

K. Business Associate shall make its internal practices, books and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, the Covered Entity, available to Covered Entity at the request of Covered Entity, or the Secretary of HHS, for purposes of the Secretary determining Covered Entity's compliance with HIPAA, the HITECH Act and/or the HIPAA Regulations in the time, manner and place designated by the Covered Entity and/or the Secretary of HHS.

L. To the extent applicable, Business Associate shall make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to, no later than sixty (60) calendar days after receipt of such request from a Covered Entity or Individual.

M. Business Associate agrees to abide by the limitations on marketing communications to Individuals regarding the purchase and use of products or services set forth in the HITECH Act and the HIPAA Regulations.

N. Business Associate agrees and acknowledges that the administrative rules governing, and the civil and criminal penalties for violating, HIPAA, the HITECH Act and/or the HIPAA Regulations, apply to it in the same manner as they apply to Covered Entity, as more fully set forth at Covered Entity's website at

O. Business Associate agrees to comply with requests for restrictions on use and/or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R , to the extent that such restriction may affect Business Associate's use or disclosure of such PHI.

P. If appropriate, Business Associate's Contractors, as that term is defined at Section I.B.1 above, who will acquire, access, receive, review, use and/or disclose PHI from the Covered Entity shall (i) complete the Covered Entity's HIPAA Training prior to commencing services under the Underlying Agreement and annually thereafter, and (ii) execute and/or be governed by the terms and conditions of UH's Business Associate Agreement compliant with HIPAA, the HITECH Act, the HIPAA Regulations, and the accompanying Underlying Agreement whether or not such appropriate business associate agreements and/or representations by Contractors about agreeing to be governed by the terms and conditions in the accompanying Underlying Agreement are actually executed and/or actually attached hereto.

IV. Term and Termination

A. Term. The term of this BAA shall be effective as of the effective date of the Underlying Agreement and shall terminate upon the termination and/or expiration of the Underlying Agreement in accordance with any of the expiration and/or termination provisions in the Underlying Agreement. At the effective date of the expiration and/or termination of the Underlying Agreement, and this BAA, for any reason, all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, shall be destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections shall be extended to such information, in accordance with the termination provisions of this Section IV.

B. Termination for Cause By a Material Breach. Upon Covered Entity's knowledge of a material Breach by Business Associate, Covered Entity shall either:

1. Provide an opportunity for Business Associate to cure the Breach or end the violation, and terminate this BAA and the Underlying Agreement if Business Associate does not cure the Breach or end the violation within the time specified by Covered Entity;

2. Immediately terminate this BAA and/or the Underlying Agreement if Business Associate has Breached a material term of this BAA and cure is not possible; or

3. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary of HHS.

C. Effect of Termination or Expiration of the BAA.

1. (a) Except as provided in paragraph C.2 of this Section, upon termination and/or expiration of this BAA, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.
This provision shall apply to PHI that is in the possession of Business Associate and/or any contractor, subcontractor, agent, employee and/or representative of Business Associate. Business Associate shall retain no copies of PHI.

(b) Except as provided in paragraph C.2 of this Section, if Covered Entity, in its sole discretion, requires that Business Associate destroy any or all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, either due to the termination and/or expiration of this BAA or otherwise, Business Associate shall certify, in writing, to Covered Entity that the PHI has been destroyed and rendered indecipherable, pursuant to HIPAA, the HITECH Act, the HIPAA Regulations and/or the within BAA. This provision also shall apply to PHI that is in the possession of any contractor, subcontractor, agent, employee and/or representative who will perform any services under the Underlying Agreement and/or the within Agreement for or on behalf of the party to this Agreement who is defined as the Business Associate.

2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity written notification of the conditions that make return or destruction infeasible within thirty (30) calendar days of such request. In such case, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. This provision also shall apply to PHI that is in the possession of any contractor, subcontractor, agent, employee and/or representative who will perform any services under the Underlying Agreement and/or the within Agreement for or on behalf of the party to this Agreement who is defined as the Business Associate.

3. Should the Business Associate make a disclosure of PHI in violation of this BAA, Covered Entity shall have the right to immediately terminate any contract, other than this BAA, then in force between the Parties, including the Underlying Agreement.

4. The provisions of this Section IV shall survive the termination of this BAA and the Underlying Agreement for any reason.

V. Remedies in Event of Breach

A. Business Associate agrees and acknowledges that irreparable harm will result to Covered Entity, and to its business, in the event of Breach by Business Associate of any covenants, duties, obligations and assurances in this BAA and further agrees that remedy at law for any such Breach shall be inadequate and that damages resulting therefrom are not susceptible to being measured in monetary terms. In the event of any such Breach or threatened Breach by Business Associate, Covered Entity shall be entitled to (i) immediately enjoin and restrain Business Associate from any continuing violations and (ii) reimbursement for reasonable attorneys' fees, costs and expenses incurred as a proximate result of the Breach.
The remedies in this Section V shall be in addition to any action for damages and/or other remedy available to Covered Entity for such Breach.

B. Insurance and Indemnification by Business Associate:

1. Business Associate shall maintain or cause to be maintained the following insurance covering itself and each subcontractor or agent, if any, through whom Business Associate provides services:

(a) A policy of commercial general liability and property damage insurance with limits of liability of not less than one (1) million dollars ($1,000,000) per occurrence and three (3) million dollars ($3,000,000) annual aggregate; and

(b) For Business Associates who will have access to material PHI and/or sensitive personal and/or economic information, Business Associate shall provide and maintain Data Privacy and Security Insurance (Cyberliability and electronic data processing Insurance), providing for at least the following coverages arising from the loss, theft or unauthorized use or disclosure of PHI and/or sensitive personal and/or economic information:

i. $1 million ($1,000,000) limits of third party liability coverage;
ii. breach notification costs and expenses;
iii. attorneys' fees;

iv. expenses associated with the establishment of Call-in Centers;
v. imposition of administrative damages including but not limited to, fines, penalties and other assessments, however defined, against Business Associates and/or its subcontractors or agents, if any.

(c) Such insurance coverage shall apply to all site(s) of Business Associate and to all Services provided by Business Associate and/or any subcontractors or agents under the accompanying Underlying Agreement and/or this Business Associate Agreement.

2. Business Associate shall promptly respond to any questions regarding its Insurance and Indemnification including, but not limited to, providing evidence of coverages, naming UH as a certificateholder, within five (5) business days of written request by UH.

3. Business Associate shall indemnify and hold Covered Entity, its directors, officers, employees and agents harmless from any and all claims, demands, liabilities, judgments, cause of action of any nature for any relief, and elements of recovery, damages and/or loss recognized by law, including, but not limited to, reasonable attorneys' fees, defense costs and expenses, costs of breach notification and mitigation, and regulatory investigations, incurred by Covered Entity as a result of or arising from a Breach of the Underlying Agreement and/or the within BAA including, but not limited to, its duties, obligations and/or responsibilities as a Business Associate, for itself and its Contractors, caused by Business Associate's actions or inactions and/or those of any contractor, subcontractor, agent, employee and/or representative who will perform any services under the Underlying Agreement and/or the within BAA for or on behalf of the party to this BAA who is defined as the Business Associate. This indemnity shall not be construed to limit Covered Entity's rights, if any, to common law indemnity.
Covered Entity retains the final right of approval of any and all communications to its patients, employees, media, regulators and/or any other party whom Covered Entity may be obligated to notify. Covered Entity shall have the option, at its sole discretion, to employ attorneys selected by it to defend any such action, or to provide advice regarding breach notification, the costs and expenses of which shall be the responsibility of the Business Associate. These indemnities shall survive termination and/or expiration of the Underlying Agreement and/or this Business Associate Agreement for any reason.

C. Business Associate agrees and acknowledges that the provisions of this BAA shall be strictly construed.

D. HIPAA makes the Business Associate and/or Contractors directly liable for violations of HIPAA, the HITECH Act, the HIPAA Regulations, subject to the submission of compliance reports to governmental and all enforcement agencies as required, and subject to civil monetary and criminal penalties for violations, as may be imposed. Business Associates and/or Contractors are subject to the provisions of this Business Associate Agreement as well as for contractual liability under this Business Associate Agreement.

E. HIPAA makes the Business Associate and/or Contractors directly responsible for compliance with the HIPAA Administrative and Technical Safeguards for Electronic PHI, to report Breaches of Unsecured PHI to the Covered Entity, to periodic audits related to the Underlying Agreement and/or this BAA, and to indemnify the Covered Entity for Section V. Remedies in Event of Breach.

VI. Miscellaneous

A. Independent Contractor or Agent.

1. None of the provisions of this BAA and/or the Underlying Agreement are intended to create nor shall be deemed or construed to have created any relationship between the Parties other than that of independent entities contracting with each other solely for the purposes of effecting the provisions of the Underlying Agreement and the within BAA unless otherwise explicitly stated in this BAA or the Underlying Agreement. None of the Parties or any of their respective representatives shall be construed to be the agent, employer, or representative of the other.

2. No Contractor, as that term is defined in the within Agreement, shall be construed to be the agent, employee or the representative of the party to the within Agreement who is defined as the Covered Entity and shall not have, or be deemed to have had, authority to represent or act for or on behalf of the Covered Entity.

3. Whether the party to the within Agreement who is defined as the Business Associate and its Contractors, as that term is defined in the within Agreement, are agents of each other and whether they have, or shall be deemed to have had, authority to represent or act for or on behalf of the other, shall be determined on a case-by-case basis under federal common law agency principles.

B. Detrimental Reliance By Covered Entity. Business Associate agrees and acknowledges that its covenants, duties, obligations and assurances herein shall be detrimentally relied upon by Covered Entity in choosing to commence or continue a business relationship with Business Associate. Covered Entity shall not be liable to Business Associate for any claim, loss, or damage relating to Business Associate's use or disclosure of any information received from Covered Entity or from any other source.

C. Regulatory References. Any reference herein to law means the law as in effect or as amended from time to time, except that any standards or implementation specifications described herein that have been added or modified by the HIPAA Omnibus Final Rule shall have a compliance date of September 23,

D. Construction. The BAA shall be construed broadly and any ambiguity shall be resolved in favor of a meaning that complies and is consistent with applicable law.

E. Severability. In the event that any provision of this BAA violates any applicable statute, ordinance or rule of law in any jurisdiction that governs this BAA, such provision shall be ineffective to the extent of such violation without invalidating any other provision of this BAA.

F. Authority. The signatories below have the right and authority to execute this BAA for their respective entities and no further approvals are necessary to create a binding agreement.

G. Covered Entity's Notices To Business Associate. Covered Entity's Notices to Business Associate are available on the UH Compliance website at

Such Notices include, but are not limited to (i) any limitations in the Covered Entity's Notices of Privacy Practices that may affect the Business Associate, (ii) any changes in, or revocation of, permission by an Individual to use or disclose PHI, or (iii) any restriction in the use and/or disclosure of PHI that Covered Entity has agreed to.

H. Compliance With State Law. Business Associate agrees and acknowledges that as the holder of individually identifiable health information it is subject to New Jersey law. In the event of any conflict between federal health care laws and New Jersey law, the Business Associate shall comply with the more restrictive provision.

I. Conflict Among Contracts. Should there be conflict between the terms of this BAA and any other contract between the Parties (either previous or subsequent to the date of this BAA), the terms of this BAA shall control unless the Parties, in a subsequent writing, specifically otherwise provide.

J. Modification. This BAA may only be modified by a writing signed by the Parties. The Parties agree to take such action subsequent to this BAA as necessary to amend the BAA from time to time as necessary for the Parties to comply with the requirements of any applicable law.

K. Notices to Parties. Any notice required or permitted under this BAA to be given shall be made in writing and shall be sent either by hand delivery and/or by overnight mail through a courier with a reliable system for tracking delivery to:

To UNIVERSITY HOSPITAL:
Name/Title: James Gonzalez, President and Chief Executive Officer
Address: University Hospital, 150 Bergen Street, President's Office, Floor D215, Newark, NJ

To BUSINESS ASSOCIATE:
Name/Title:
Address:

L. Headings. Section headings contained in the within Agreement are for convenience or reference only and shall not be deemed a part of this Agreement or have any binding legal effect.

M. Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

SIGNATURES ON NEXT PAGE

IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement the day and year written below but it shall be made effective as of the Effective Date of the Underlying Agreement.

UNIVERSITY HOSPITAL:
By:
James Gonzalez
President and Chief Executive Officer
University Hospital
150 Bergen Street, President's Office, Floor D215
Newark, New Jersey
Date:

BUSINESS ASSOCIATE: [ ]
By:
Name:
Title:
Address:
Date:

Version 5.0 Compliance Date: September 23, 2013 Rev. March 12,
